A Notorious hacking group USDOD recently announced they had stolen a vast amount of personal data from a major data broker. Now, a member of the group has reportedly made much of this stolen information available for free on a platform that trades in stolen personal data.
This breach, which includes Social Security numbers and other sensitive details, poses significant risks such as identity theft and fraud, according to Teresa Murray, director of the U.S. Public Interest Research Group (PIRG).
“If this data truly represents a comprehensive dossier on countless individuals, it is far more concerning than previous breaches,” Murray noted in an interview. “If people haven’t been cautious before, this should be a serious wake-up call for them.”
A class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, claims that the hacking group USDoD announced in April that they had stolen personal records of 2.9 billion people from National Public Data, a company that provides personal information for background checks. The group initially offered the stolen data, which includes records from the U.S., Canada, and the U.K., for $3.5 million on a hacker forum, according to a cybersecurity expert who posted this information on X (formerly Twitter). Bloomberg Law covered the lawsuit.
Recently, a supposed member of USDoD, who goes by the name Felice, stated in a hacking forum that they were releasing “the complete NPD database,” according to a screenshot obtained by BleepingComputer. This data allegedly contains around 2.7 billion records, each with an individual’s full name, address, date of birth, Social Security number, phone number, and additional names and dates of birth.
National Public Data has not commented on the breach and has not officially informed individuals about it. However, the company has told those who reached out via email that they are “aware of certain third-party claims about consumer data and are investigating these issues.” The company also mentioned that it had “purged the entire database,” essentially opting out everyone, though it may still retain some records to meet legal obligations.
News outlets specializing in cybersecurity that have reviewed parts of the leaked data indicate that it appears to be legitimate. If the leak is as extensive as claimed, it poses several risks and suggests several protective measures.
The leaked information likely includes much of what banks, insurance companies, and other service providers need for account setup and password changes. However, some crucial details are missing, such as email addresses, which are often used for account logins, and photos of driver’s licenses or passports used for identity verification.
Despite these gaps, Murray cautions that the leaked data could be used for various malicious activities. The greatest concern is the potential for identity theft and unauthorized access to financial accounts, insurance policies, and other sensitive information. With a person’s name, Social Security number, date of birth, and address, fraudsters could create new accounts in the victim’s name or try to gain control of existing accounts by persuading someone to reset passwords.
“For someone skilled in these activities, the potential for exploitation is vast,” Murray said. “The possibilities are virtually limitless.”
To protect yourself in light of this breach, consider the following steps:
- Monitor Your Accounts: Regularly check your bank and credit card statements for any unauthorized transactions. Sign up for alerts if your financial institutions offer them.
- Place Fraud Alerts: Contact one of the major credit bureaus (Equifax, Experian, or TransUnion) to request a fraud alert on your credit report. This makes it harder for identity thieves to open new accounts in your name.
- Consider a Credit Freeze: A credit freeze restricts access to your credit report, making it more difficult for identity thieves to open accounts in your name. You can lift the freeze temporarily if needed.
- Update Passwords: Change passwords for your online accounts, especially those related to banking, email, and social media. Use strong, unique passwords for each account and consider a password manager to keep track.
- Review Your Credit Reports: Obtain and review your credit reports from the three major credit bureaus to ensure there are no suspicious activities or accounts you didn’t open.
- Be Cautious with Personal Information: Be wary of unsolicited requests for personal information and avoid sharing sensitive data over email or phone unless you’re certain of the recipient’s legitimacy.
- Stay Informed: Keep an eye on news regarding the breach and any updates from National Public Data or other relevant authorities.
By taking these precautions, you can better protect yourself against the potential fallout from this massive data breach.